Targeted threats are a growing problem in the world of information security. Sometimes referred to as advanced persistent threats (APTs), targeted threats may include stealthy and continuous hacking processes orchestrated by groups that are capable of effectively targeting a specific entity. APTs may originate from nation-states or organized crime and may threaten the security of an organization in a variety of ways. Sensitive data is commonly targeted, causing monetary and reputational damage to affected organizations. APTs may be designed to steal intellectual property, financial details of customers and employees, organizational strategy information, or any other type of confidential data. APTs may also be designed to destroy valuable data or sabotage computer-controlled systems. The operations of an APT may involve modifying sensitive files, such as configuration files or operating system files, for the purpose of establishing backdoors, escalating privileges, or otherwise weakening security controls.
System administrators often have trouble identifying or detecting targeted threats, since the behavior of these attacks often appears similar to the behavior of legitimate, non-malicious users. Targeted threats may involve the same or similar commands and applications that legitimate users employ to use or manage systems, in an attempt to mask illegitimate traffic and/or behavior, which may frustrate the efforts of system administrators to distinguish malicious activity from legitimate activity.
Attempts to detect and intercept stolen confidential data at the points where the organization connects to the outside world may prove ineffective, in part because of the volume of data to be scrutinized, but also because by the time confidential data reaches such a point it may already have been extracted, compressed, encrypted, and possibly even concealed within non-confidential data. Accordingly, the instant disclosure identifies and addresses a need for additional and improved systems and methods for protecting data files.
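The following is an added illustration of the egress-point problem described above; it is not code from the instant disclosure. It constructs a small fictitious record set, shows that an assumed signature-style DLP rule (a delimited 16-digit number) finds every record in the plaintext, and then shows that the same rule finds nothing once the data has been compressed and encrypted the way an attacker would stage it. A deterministic SHA-256 counter-mode keystream is used as a toy stand-in for a real cipher. The entropy measure included is a caveat, not a fix: it can say that a payload is opaque, but it cannot say what the payload contains, which is the point the paragraph makes.

```python
"""Added example: a signature-style egress scan versus staged (compressed,
encrypted) exfiltration. Constructed sample data and a toy cipher; not code
from the original disclosure."""
import gzip
import hashlib
import math
import re
from collections import Counter

# Constructed sample record set (fictitious customers, industry test card numbers).
CONFIDENTIAL = (
    "customer,card_number,exp\n"
    "Alice Example,4111111111111111,12/29\n"
    "Bob Example,5500000000000004,03/30\n"
    "Carol Example,3400000000000009,07/31\n"
) * 5

# Assumed DLP rule for illustration: a run of exactly 16 digits, not adjacent to other digits.
CARD_RE = re.compile(rb"(?<!\d)\d{16}(?!\d)")


def dlp_matches(payload: bytes) -> int:
    """Number of card-like tokens a signature-based egress scanner would see."""
    return len(CARD_RE.findall(payload))


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic SHA-256 counter-mode keystream (toy stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stage_for_exfil(data: bytes, key: bytes) -> bytes:
    """Compress, then encrypt: the state the data is in by the time it
    reaches the organization's connection to the outside world."""
    compressed = gzip.compress(data, mtime=0)  # mtime=0 keeps output deterministic
    return bytes(c ^ k for c, k in zip(compressed, keystream(key, len(compressed))))


def shannon_entropy(payload: bytes) -> float:
    """Bits per byte: low for text, approaching the byte count's log2 for
    compressed or encrypted data."""
    if not payload:
        return 0.0
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in Counter(payload).values())


def egress_verdict(payload: bytes, entropy_threshold: float = 5.5) -> dict:
    """What the two scanners report at the egress point. The entropy flag
    means 'looks packed or encrypted', not 'contains card data': an opaque
    blob is a lead for a human, not a match. Threshold is an assumed value."""
    entropy = shannon_entropy(payload)
    return {
        "dlp_matches": dlp_matches(payload),
        "entropy": round(entropy, 2),
        "opaque": entropy >= entropy_threshold,
    }


def demo():
    """Return (verdict on plaintext, verdict on staged payload)."""
    plain = CONFIDENTIAL.encode()
    staged = stage_for_exfil(plain, b"attacker-session-key")  # assumed key
    return egress_verdict(plain), egress_verdict(staged)


if __name__ == "__main__":
    before, after = demo()
    print("plaintext at egress:", before)
    print("staged at egress:   ", after)
```

Run stand-alone, the first line reports fifteen matches and a low entropy, the second reports zero matches and a high entropy. Moving the check earlier, to the file on the host before it is staged, is the direction the disclosure takes.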